Server-Side Request Forgery Vulnerability in Ivanti Connect Secure
CVE-2024-21893
What is CVE-2024-21893?
CVE-2024-21893 is a server-side request forgery (SSRF) vulnerability found in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access (ZTA). These products are designed to provide secure access solutions for enterprises, facilitating remote work and protecting sensitive data. This vulnerability allows an attacker to access restricted resources without proper authentication, posing a significant risk to organizations that rely on these systems for secure connectivity.
Technical Details
The vulnerability affects specific versions of Ivanti Connect Secure and Ivanti Policy Secure (versions 9.x and 22.x). It exploits the SAML component, enabling unauthorized requests to be sent to internal resources. This flaw can be leveraged by malicious actors to bypass security mechanisms, essentially allowing them to retrieve information or initiate interactions with back-end systems that should be inaccessible without authentication.
Impact of the Vulnerability
- Unauthorized Access: Exploiting this vulnerability can allow attackers to gain access to sensitive internal resources without proper authentication, potentially exposing confidential data.
- Data Breach Risks: The ability to interact with restricted back-end systems increases the risk of data breaches, leading to the potential theft or manipulation of sensitive information.
- Increased Attack Surface: Organizations utilizing the affected Ivanti products may find their overall security posture weakened, as attackers can exploit this vulnerability to launch further attacks or establish footholds within the compromised systems.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ICS 9.1R18
ICS 22.6R2
IPS 9.1R18
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Ivanti’s bug-plagued network appliances attacked using fresh exploit
Multiple threat actors have begun exploiting one of four recently discovered flaws afflicting the vendor’s VPN and network gateway products.
3 weeks ago
TIM Red Team Research discovers a CSV Injection bug in Ericsson Network Manager (ENM)
TIM's bug research laboratory, the Red Team Research, detects a bug in the Ericsson Network Manager (ENM) product, and Ericsson issues a bulletin.
9 months ago
Attackers target new Ivanti XXE vulnerability days after patch
The new vulnerabilities were introduced by a fix for the previous Ivanti flaws, and customers are urged to install a new update.
11 months ago
EPSS Score
95% chance of being exploited in the next 30 days.
Timeline
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered by Dark Reading
- Vulnerability published
- Vulnerability Reserved